B.4 Project 1: Firewall and proxy server

StoreCompany's desire to add its catalog to the Internet sparked an audit into security and feasibility of the project. A firewall and demilitarized zone would be needed to separate the zSeries from the Internet. The conclusion was that infrastructure servers could be located as Linux guests under z/VM on the mainframe. This would have three desirable results: a standard setup for all guests, some savings in actual hardware, and a fairly simple project for introducing Linux on the mainframe into the production environment.

The team doing the Linux infrastructure work was composed of both mainframe and UNIX/Linux people. The infrastructure work went well. It was fast (75 days) and it was on budget. After the conclusion of Project 1, security had the structure needed to give the green light to the more complicated online catalog project.

As a follow up from Project 1, StoreCompany then decided to move its departmental Samba servers from UNIX and Windows servers to the mainframe. These servers hold data for the various StoreCompany departments.

B.4.1 Changes needed

  • Project 1 needs only 10% or so of an engine, but to prepare for future projects, one IFL is placed on order.

  • As soon as the IFL arrives, z/VM is set up on a new LPAR with the IFL, LPAR-C.

  • Acquire a Linux distribution, in this case, SuSE.

  • Configure firewall and proxy.

  • Test firewall and proxy.

  • Test IP filtering.

B.4.2 Implementation

Work started out with Linux on z/VM under the test LPAR, LPAR-A. Once that worked, an IFL was ordered as a trial, knowing that it could be sent back if things did not work. While the IFL order process was wending its way through StoreCompany, the project went into production using the test LPAR just before the IFL was to show up to accelerate delivery. Once the IFL was in place and the second z/VM was set up, ISPCompany just moved over the Linux image and the network attachment, and so forth. The final implementation is shown in Figure B-3.

  • The firewall and the proxy server were located on a new LPAR, LPAR-C, which uses an IFL engine.

    The proxy re-addresses requests from the Internet to a machine that can handle requests. That machine is on a network that is not visible to the outside. In other words, the proxy does two things: re-direction, and occasionally workload management.

  • As a second line of defense, IP filtering is used between proxy and the application images.

    IP filtering is used to ensure that traffic in and out is only from servers that have business here. For example, only traffic from the proxy is allowed in. This is the minimum needed to define the end of the DMZ.

  • Intrusion detection systems (IDS) will be implemented on three levels: Network, host, and Web.

Figure B-3. Logical setup of StoreCompany after locating the firewall and the proxy on the zSeries machine


Linux on the Mainframe
Linux on the Mainframe
ISBN: 0131014153
EAN: 2147483647
Year: 2005
Pages: 199

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net